Homepage spreading faster than Kournikova worm

Epidemic exposes AV software flaws

Common Topics

The spread of the Homepage Internet worm has exposed the deficiencies of the way many firms set up their virus protection, and raised questions about the effectiveness of antivirus software.

Homepage is an Internet worm written using the Visual Basic Script Worm Generator virus writing kit, which also spawned the Anna Kournikova worm, and if anything it is spreading even more rapidly. A number of firms have been forced to take down their Exchange servers in order to contain its outbreak.

After it was unleashed onto the Internet, probably late last night, the virus infected a number of organisations in Australia and Asia - including the Australian Parliament - before vendors of many antivirus firms had a chance to update their packages in the early hours of this morning.

Alex Shipp, an antivirus technologist at managed services firm MessageLabs, which scans its customers email for viruses, said "most AV software has failed to detect the virus heuristically [automatically]" and this was one reason why the outbreak has been so severe.

MessageLabs uses antivirus packages from Network Associates, F-Secure and Cybersoft. It also monitors the performance of antivirus software from other vendors and found that packages from Symantec and Trend Micro, which claim to provide heuristic protection, didn't automatically picked up the Homepage worm. According to MessageLabs' Shipp only Network Associates software picked up the virus automatically.

A source at IT firm Agilent said that Trend Micro's automatic update service didn't update its virus protection, and it had to update files downloaded manually via FTP.

"Our email monitoring tools showed that over 400,000 messages were sent internally as a result of infection," our source at Agilent told us.

Homepage arrives in an email that appears to be harmless home page recommendation but in reality directs victims who open an infected attachment to one of four porn web sites. It emails a copy of itself to everyone in a victims Outlook address book.

Since midnight Messagelabs has intercepted more than 21,000 copies of the virus and it estimates that one in 50 emails contain the virus. This suggests the virus is affecting the performance of the Internet even for those users who have escaped infection. ®